Analysis Overview
SHA256
b767aa5fd570102ea8dab56dae1c7506f1fdebd3b0dd22aa2dbe8540df6289ea
Threat Level: Likely malicious
The file valorant_full.exe was found to be: Likely malicious.
Malicious Activity Summary
Stops running service(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Unsigned PE
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 04:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 04:25
Reported
2024-06-14 04:27
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Stops running service(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\valorant_full.exe | "C:\Users\Admin\AppData\Local\Temp\valorant_full.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop FACEIT >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerUI.exe |
| C:\Windows\system32\net.exe | net stop FACEIT |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop FACEIT |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop ESEADriver2 >nul 2>&1 |
| C:\Windows\system32\net.exe | net stop ESEADriver2 |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ESEADriver2 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerSvc.exe |
| C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1 |
| C:\Windows\system32\sc.exe | sc stop KProcessHacker3 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 |
| C:\Windows\system32\sc.exe | sc stop KProcessHacker2 |
| C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1 |
| C:\Windows\system32\sc.exe | sc stop KProcessHacker1 |
| C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1 |
| C:\Windows\system32\sc.exe | sc stop wireshark |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1 |
| C:\Windows\system32\sc.exe | sc stop npf |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 |
| C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T |
| C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerUI.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 2.17.107.122:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fluxauth.com | udp |
| US | 172.67.131.205:80 | fluxauth.com | tcp |
| US | 8.8.8.8:53 | 205.131.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
memory/3460-0-0x00007FF6B4CE1000-0x00007FF6B54B0000-memory.dmp
memory/3460-2-0x00007FF8CDE60000-0x00007FF8CDE62000-memory.dmp
memory/3460-1-0x00007FF8CDE50000-0x00007FF8CDE52000-memory.dmp
memory/3460-3-0x00007FF6B4860000-0x00007FF6B6353000-memory.dmp
memory/3460-7-0x00007FF6B4860000-0x00007FF6B6353000-memory.dmp
memory/3460-8-0x00007FF6B4860000-0x00007FF6B6353000-memory.dmp
memory/3460-9-0x00007FF6B4CE1000-0x00007FF6B54B0000-memory.dmp
memory/3460-10-0x00007FF6B4860000-0x00007FF6B6353000-memory.dmp
memory/3460-11-0x00007FF6B4CE1000-0x00007FF6B54B0000-memory.dmp
memory/3460-12-0x00007FF6B4860000-0x00007FF6B6353000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 04:25
Reported
2024-06-14 04:27
Platform
win7-20240221-en
Max time kernel
3s
Max time network
1s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\valorant_full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\valorant_full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\valorant_full.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\valorant_full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\valorant_full.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\valorant_full.exe | N/A |
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\valorant_full.exe | "C:\Users\Admin\AppData\Local\Temp\valorant_full.exe" |
Network
Files
memory/880-0-0x0000000140441000-0x0000000140C10000-memory.dmp
memory/880-11-0x000000013FFC0000-0x0000000141AB3000-memory.dmp
memory/880-10-0x0000000077320000-0x0000000077322000-memory.dmp
memory/880-8-0x0000000077320000-0x0000000077322000-memory.dmp
memory/880-6-0x0000000077320000-0x0000000077322000-memory.dmp
memory/880-5-0x0000000077310000-0x0000000077312000-memory.dmp
memory/880-3-0x0000000077310000-0x0000000077312000-memory.dmp
memory/880-1-0x0000000077310000-0x0000000077312000-memory.dmp
memory/880-15-0x000000013FFC0000-0x0000000141AB3000-memory.dmp
memory/880-16-0x000000013FFC0000-0x0000000141AB3000-memory.dmp